How to configure self sponsored guest access with 5 minutes of initial access?

You might have a requirement where you want self-sponsored guest access wherein users will enter their email address, and they will get an email to sponsor them self. To allow the users to sponsor themselves you can give them 5 minutes of initial access and if they confirm the account they can continue to stay in the same role.

If they fail to sponsor their account or if they enter an invalid email address they should be disconnected after 5 minutes taking them back to the captive portal page.

This way you are making sure that the users are entering a valid email address and also making sure that you give them access to the internet to check their email and approve themselves.

Solution:

We are going to achieve this by making use of a combination of returning a session timeout to the controller and role override of the guest account once the user sponsors them self.

Configuration:

First off you need to make sure that the MAC authentication server group on the Aruba controller is mapped as the ClearPass server. Then we also need to make sure that in the MAC authentication profile of the Aruba controller we check the box that says "Reauthentication" and also "Use server provided Re-authentication Interval" as shown in the screenshot below.

You also need to make sure that ClearPass is mapped as an RFC-3576 server on the corresponding AAA profile on the controller.

Besides these settings the other settings on the Aruba controller are typical of any captive portal setup, making sure that captive portal server-group points to ClearPass.

Next we can move on to the ClearPass Guest Side of things where we configure the self-registration page with the appropriate fields as shown below. You just need to make sure that you include the email field in the form.

In the Sponsor Confirmation section

You need to make sure that you Enable "Require sponsor confirmation prior to enabling the account" and set the "Email Field" to "email" and not sponsor_email as the user himself is the sponsor in this case.

One more important piece of configuration is the Role Override in the same page, where after sponsorship the role would change to configured role helping us determine if the user has sponsored himself.

So, the role initially for the user account can be anything but the role after the user has sponsored his account is "[Employee]"

The 1st service on the ClearPass Policy Manager side of things is a MAC-Auth service where "CP-Self-Reg" is the name of the SSID

where we need to have an [Allow All MAC AUTH]

We need [Allow All MAC AUTH] because for any client that's connecting for the first time, we want to accept the authentication return 5 mins as the session time-out and put it in the captive portal role.

Once the user completes the registration process he will be allowed to login to the network and also receive an email through which he needs to sponsor himself to continue his stay on the network for more than the 5 minutes.

The next step is to configure a filter in the [Guest user Repository], you need to click on the repository and navigate to the Attributes tab

Under Attributes you need to click on "Add More Filters"

You need to put in a Filter Name and we are naming it "Role_Update_Check" it can be any name that makes sense to you.

The query that we need to put is

select attributes::json->>'Role ID' as Current_Role_ID from tips_guest_users where user_id='%{Endpoint:Username}'

The value we are fetching is called "Current_Role_ID" so that needs to be Name of the attribute and the Alias Name can be anything and we are calling it "Current Guest Role"

This query tells us if the user has sponsored their account or not, by fetching the current role id after the user sponsors himself.

You need to add [Guest User Repository] as the authorization source.

Under Roles you can have the following rules as shown in the screenshot to make sure that users who have already authenticated don't keep going back to the captive portal page.

Under Enforcement Policy you need to have the conditions as shown in the screenshot below

A brief explanation of the above rules,

The 1st rule is for cached sponsored Guest users. The 2nd rule is for sponsored users to handle the auth request that comes after 5 minutes.

The 3rd rule is for handling users who have not sponsored their account to handle the auth request after 5 minutes.

The 4th rule is generic catch all rule that applies to all new users.

The Update to Unknown is to make sure that we don't get stuck in a loop trying to keep disconnecting the user.

The Update Role ID to 3 is to make sure that we tag the right Role to the Endpoint after the user sponsors their account.

The Session Timeout 5 minutes is an enforcement profile that returns a Radius:IETF Session-Timeout for 300 seconds which stands for 5 minutes.

Now moving on to the next service which is the MAC caching service where "CP-Self-Reg" is the name of the SSID.

Please find the screenshot of the enforcement policy below

You need to make sure that you update the Endpoint as Known and also update the username along with MAC-Auth Expiry on a successful auth which is typical of any Guest Mac caching setup.

Verification

1st Case : User not sponsoring himself within the initial 5 minutes of access

Output of 1st MAC Auth

Output of user Auth

Output of 2nd MAC Auth after 5 minutes

2nd Case : User Sponsoring himself within the 5 minutes of initial access

Output of 1st MAC Auth

Output of User Auth

Authorization attributes of 2nd MAC Auth

Output of 2nd MAC Auth

From the below outputs we have verified that the user gets disconnected in 5 minutes if they do not sponsor them self. If they do sponsor them self we saw that the client continued to stay on the network in the same role.